PIN Numbers Are Vulnerable to Hackers

Hackers stole PIN codes from a network of Citibank ATMs located in 7-Eleven stores, allegedly stealing millions of dollars and revealing a major flaw in Citibank’s security efforts.

According to recent court filings, the hackers were able to steal the money and access PINs ““ numeric passwords used by customers to access their accounts ““ by attacking the back-end computers responsible for approving cash withdrawals.

The infrastructures of ATM systems are increasingly being built on Microsoft Corp.’s Windows operating system, which allows them to be diagnosed and repaired via the Internet. Despite industry standards that call for protecting PINs with strong encryption – which means encoding them to cloak them to outsiders – some ATM operators apparently aren’t properly doing that.

The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

“PINs were supposed be sacrosanct – what this shows is that PINs aren’t always encrypted like they’re supposed to be,” said Avivah Litan, a security analyst with the Gartner research firm. “The banks need much better fraud detection systems and much better authentication.”

The case involving ATMs at 7-Eleven convenience stores has brought three people – Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva – before a U.S. District Court for the Southern District of New York. It is still unclear how many Citibank customers’ accounts may have been tampered with during the breach, which extended at least from October 2007 to March of this year.

Citibank has almost 5,700 ATMs in 7-Eleven stores throughout the U.S., but it does not own or operate any of them. Houston-based Cardtronics Inc. owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc. operates the others.

Investigators still haven’t publicly discussed exactly how the hackers were able to steal the PINs, all that’s known is they broke into the ATM network through a server at a remote third-party processor.

They could have gained administrative access to the machines – which means they had carte blanche to grab information – through a flaw in the network or by figuring out those computers’ passwords. Or it’s possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

So, there have been no visible signs of tampering they could detect, unlike previous heists in which thieves used more noticeable methods such as sending “phishing” e-mails or installing false-front keypads on ATMs.

Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an “alarming” spike in the number of attacks on back-end computers for ATM networks over the past year.

“This was fairly large, but I don’t think it’s anything out of the ordinary – these kinds of scams go on every day,” Jackson said. “What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren’t reported.”

Each of the hackers have been indicted on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Citibank, part of Citigroup Inc., said it notified affected customers and issued them new debit cards.

“We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” the bank said in a statement.